Facebook users are sending scary warnings to each other regarding a supposed new piece of malware spreading across the social network.

Attention!!!If you see anyone post out an application written "May God always bless this kind person below with peace, love and happiness", with your profile picture attached below, and send by your friend via Bold Text. Please DONT click "like" or "SHARE", is a spyware, and all your info at FB will be copy and reuse for other purpose. Please share this info out. Thanks......;)

The warnings are being spread rapidly by well-intentioned Facebook users, but the truth is that we have seen no evidence of any such spyware.

They have determined that rather than a genuine virus, the warning was kicked off by a Facebook application called Bold Text making over-exuberant, if not downright spammy, wall postings.

Over one million people are reported to have used the application, so clearly its self-promoting tactics are working.

If you see one of your friends reposting the warning about the ‘May God always bless..’ message then please tell them that it isn’t true that it’s a virus, and point them to this article or the information on Facecrooks.

And if you installed the Bold Text application, and aren’t enjoying the messages it is posting, you should revoke its access to your Facebook account.

It’s not the first time, of course, that Facebook users have been misled of the full facts by virus hoaxes. Most recently we have seen a bogus warning message about an Olympic Torch virus that could “burn the whole hard disc.. C of your computer”

Make sure that you stay informed about the latest genuine scams spreading fast across Facebook and other internet attacks. Join the Sophos Facebook page, where more than 100,000 people regularly share information on threats and discuss the latest security news.

TDSS variants

The malware detected by Kaspersky Anti-Virus as TDSS is the most sophisticated threat today. TDSS uses a range of methods to evade signature, heuristic, and proactive detection, and uses encryption to facilitate communication between its bots and the botnet command and control center. TDSS also has a powerful rootkit component, which allows it to conceal the presence of any other types of malware in the system.

Its creator calls this program TDL. Since it first appeared in 2008, malware writers have been perfecting their creation little by little. By 2010, the latest version was TDL-3, which was discussed in depth in an article published in August 2010.

The creators of TDSS did not sell their program until the end of 2010. In December, when analyzing a TDSS sample, we discovered something odd: a TDL-3 encrypted disk contained modules of another malicious program, SHIZ.

TDL-3 encrypted disk with SHIZ modules

At that time, a new affiliate program specializing in search engine redirects had just emerged on the Internet; it belonged to the creators of SHIZ, but used TDL-3.

The changes that had been made to the TDL-3 configuration and the emergence of a new affiliate marketing program point to the sale of TDL-3 source code to cybercriminals who had previously been engaged in the development of SHIZ malware.

Why did the creators of TDL decide to sell source code of the third version of their program? The fact is that by this time, TDL-4 had already come out. The cybercriminals most likely considered the changes in version 4 to be significant enough that they wouldn’t have to worry about competition from those who bought TDL-3.

In late 2010, Vyacheslav Rusakov wrote a piece on the latest version of the TDSS rootkit focusing on how it works within the operating system. This article will take a closer look at how TDL-4 communicates with the network and uploads data to the botnet, which numbered over 4.5 million infected computers at the time of writing.

Yet another affiliate program

The way in which the new version of TDL works hasn’t changed so much as how it is spread – via affiliates. As before, affiliate programs offer a TDL distribution client that checks the version of the operating system on a victim machine and then downloads TDL-4 to the computer.

Affiliates spreading TDL

Affiliates receive between $20 to $200 for every 1,000 installations of TDL, depending on the location of the victim computer. Affiliates can use any installation method they choose. Most often, TDL is planted on adult content sites, bootleg websites, and video and file storage services.

The changes in TDL-4 affected practically all components of the malware and its activity on the web to some extent or other. The malware writers extended the program functionality, changed the algorithm used to encrypt the communication protocol between bots and the botnet command and control servers, and attempted to ensure they had access to infected computers even in cases where the botnet control centers are shut down. The owners of TDL are essentially trying to create an ‘indestructible’ botnet that is protected against attacks, competitors, and antivirus companies.

The ‘indestructible’ botnet

Encrypted network connections

One of the key changes in TDL-4 compared to previous versions is an updated algorithm encrypting the protocol used for communication between infected computers and botnet command and control servers. The cybercriminals replaced RC4 with their own encryption algorithm using XOR swaps and operations. The domain names to which connections are made and the bsh parameter from the cfg.ini file are used as encryption keys.

Readers may recall that one of the distinguishing features of malware from the TDSS family is a configuration file containing descriptions of the key parameters used by various modules to maintain activity logs and communications with command and control servers.

Example of configuration file content

Compared to version 3, there are only negligible changes to the format of the configuration file. The main addition is the bsh parameter, an identifier which identifies the copy of the malware, and which is provided by the command and control sever the first time the bot connects. This identifier acts as one of the encryption keys for subsequent connections to the command and control server.

Part of the code modified to work with the TDL-4 protocol.

Upon protocol initialization, a swap table is created for the bot’s outgoing HTTP requests. This table is activated with two keys: the domain name of the botnet command and control server, and the bsh parameter. The source request is encrypted and then converted to base64. Random strings in base64 are prepended and appended to the received message. Once ready, the request is sent to the server using HTTPS.

The new protocol encryption algorithm for communications between the botnet control center and infected machines ensures that the botnet will run smoothly, while protecting infected computers from network traffic analysis, and blocking attempts of other cybercriminals to take control of the botnet.

An antivirus of its own

Just like Sinowal, TDL-4 is a bootkit, which means that it infects the MBR in order to launch itself, thus ensuring that malicious code will run prior to operating system start. This is a classic method used by downloaders which ensures a longer malware lifecycle and makes it less visible to most security programs.

TDL nimbly hides both itself and the malicious programs that it downloads from antivirus products. To prevent other malicious programs not associated with TDL from attracting the attention of users of the infected machine, TDL-4 can now delete them. Not all of them, of course, just the most common.

TDSS module code which searches the system registry for other malicious programs

TDSS contains code to remove approximately 20 malicious programs, including Gbot, ZeuS, Clishmic, Optima, etc. TDSS scans the registry, searches for specific file names, blacklists the addresses of the command and control centers of other botnets and prevents victim machines from contacting them.

This ‘antivirus’ actually helps TDSS; on the one hand, it fights cybercrime competition, while on the other hand it protects TDSS and associated malware against undesirable interactions that could be caused by other malware on the infected machine.

Which malicious programs does TDL-4 itself download? Since the beginning of this year, the botnet has installed nearly 30 additional malicious programs, including fake antivirus programs, adware, and the Pushdo spambot.

TDSS downloads

Notably, TDL-4 doesn’t delete itself following installation of other malware, and can at any time use the r.dll module to delete malware it has downloaded.

Botnet access to the Kad network

One of the most outstanding new features of TDL-4 is the kad.dll module, which allows the TDSS botnet to access the Kad network. So what do the cybercriminals want with a publicly accessible file exchange network?

We have known about botnets controlled via P2P for some time now, although until now, these were closed protocol connections created by the cybercriminals themselves. In contrast, TDSS uses a public P2P network in order to transmit commands to all infected computers in the botnet. The initial steps of how TDSS makes use of Kad are given below:

The cybercriminals make a file called ktzerules accessible on the Kad network. The file is encrypted and contains a list of commands for TDSS.

Computers infected with TDSS receive the command to download and install the kad.dll module.

Once installed, kad.dll downloads the file nodes.dat, which contains the publicly accessible list of IP addresses of Kad network servers and clients.

The kad.dll module then sends a request to the Kad network to search for the ktzerules file.

Once the ktzerules files has been downloaded and encrypted, kad.dll runs the commands which ktzerules contains.

Encrypted kad.dill updates found on the Kad network

Below is a list of commands from an encrypted ktzerules file.

SearchCfg – search Kad for a new ktzerules file

LoadExe – download and run the executable file

ConfigWrite – write to cfg.ini

Search – search Kad for a file

Publish – publish a file on Kad

Knock – upload a new nodes.dat file to the C&C which contains a list of Kad server and clients IP addresses, including those infected with TDSS.

The most interesting command is Knock. This command allows the cybercriminals to create their own Kad P2P, the clients of which are exclusively TDSS-infected computers.

How publicly accessible and closed KAD networks overlap

Essentially, the TDSS botnet kad.dll module is more or less the same as cmd.dll in terms of control function. By running nodes.dat files containing a list of IP addresses of Kad clients in addition to ktzerlrules, which contains a command to download a new nodes.dat file from cybercriminal servers, the owners of the botnet can both include their infected computers in the publicly accessible Kad network and remove them from the network. The publicly accessible Kad network contains no more than 10 TDSS infected computers. This makes replacing the ktzerules file as inefficient as possible, which prevents other cybercriminals from taking control over the botnet. The total number of TDSS infected computers on the closed network number tens of thousands.

Kad.dll code responsible for sending commands from the TDL-4 cybercriminals

Furthermore, access to Kad makes it possible for the cybercriminals to download any files to botnet machines and make them accessible to the P2P users. This includes adult content files and stolen data bases.

The key threat that such a botnet poses is that even when its command and control centers are shut down, the botnet owners will not lose control over infected machines. However, the system does face two major obstacles:

By using the publicly accessible Kad network, the cybercriminals still run the risk of fake botnet commands.

When developing the kad.dll module for maintaining communication with the Kad network, code with a GPL license was used — this means that the authors are in violation of a licensing agreement.

Extended functionality

In addition to its known adware function, TDL-4 has added some new modules to its arsenal. This article has already touched on the ‘antivirus’ function and the P2P module. The owners of TDSS have also added several other modules to their malware, and now offer services such as anonymous network access via infected machines and 64-bit support.

The proxy server module

A file called Socks.dll has been added to TDSS’s svchost.exe; it is used to establish a proxy server on an infected computer. This module facilitates the anonymous viewing of Internet resources via infected machines.

Having control over such a large number of computers with this function, the cybercriminals have started offering anonymous Internet access as a service, at a cost of roughly $100 per month. For the sake of convenience, the cybercriminals have also developed a Firefox add-on that makes it easy to toggle between proxy servers within the browser.

Firefox add-on for anonymous Internet use via the TDSS botnet

64-bit support

The appearance of a 64-bit malicious driver in TDSS was another innovation in malware in 2010. In order to support operations with 64-bit systems in user mode, TDL-4 contains a module called cmd64.dll, a version of cmd.dll for 64-bit systems. However, due to the limitations of working with 64-bit programs, cmd64.dll code only provides communication with the botnet command and control servers.

List of botnet command and control center commands

Working with search engines

The cmd.dll module (see for details) remains almost completely unchanged. This module facilitates communication with the botnet command and control servers and substitutes search results, i.e. fraudulently manipulates advertising systems and search engines. The newest innovation in the list of commands for TDSS is the SetName command, which assigns a number to each infected computer. For search engines and banner networks, TDSS uses the same fake click and traffic technologies as similar malicious programs. However, TDSS has the longest list of search engines for which it substitutes search results.

List of search engines supported by TDSS

Botnet command and control servers

When running, TDSS uses several sources to obtain lists of command and control server addresses. The default list is taken from cmd.dll; if these addresses are inaccessible, then TDSS gets a list from cfg.ini. If for some reason no command and control server listed is accessible, then a list is created from an encrypted file called bckfg.tmp, which the bot receives from the command and control server on first connection. Since the beginning of the year, around 60 command and control centers have been identified across the globe.

Control serveraddress

Server address at thebeginning of February

Server address at the beginning of March

Percentage of mentions in C&C lists

01n02n4cx00.cc

noip

noip

0,05%

01n02n4cx00.com

91.212.226.5

noip

0,43%

01n20n4cx00.com

91.212.226.5

91.193.194.9

0,21%

0imh17agcla.com

77.79.13.28

91.207.192.22

0,80%

10n02n4cx00.com

194.28.113.20

194.28.113.20

0,22%

1il1il1il.com

91.212.158.72

91.212.158.72

6,89%

1l1i16b0.com

91.193.194.11

91.193.194.11

0,43%

34jh7alm94.asia

205.209.148.232

noip

0,03%

4gat16ag100.com

noip

noip

2,07%

4tag16ag100.com

178.17.164.129

91.216.122.250

6,69%

68b6b6b6.com

noip

noip

0,03%

69b69b6b96b.com

91.212.158.75

noip

6,89%

7gaur15eb71.com

195.234.124.66

195.234.124.66

6,85%

7uagr15eb71.com

noip

noip

2,07%

86b6b6b6.com

193.27.232.75

193.27.232.75

0,14%

86b6b96b.com

noip

noip

0,24%

9669b6b96b.com

193.27.232.75

193.27.232.75

0,22%

cap01tchaa.com

noip

noip

2,19%

cap0itchaa.com

noip

noip

0,58%

countri1l.com

91.212.226.6

91.212.158.72

6,89%

dg6a51ja813.com

91.216.122.250

93.114.40.221

6,85%

gd6a15ja813.com

91.212.226.5

91.212.226.5

2,07%

i0m71gmak01.com

noip

noip

0,80%

ikaturi11.com

91.212.158.75

noip

6,89%

jna0-0akq8x.com

77.79.13.28

77.79.13.28

0,80%

ka18i7gah10.com

93.114.40.221

93.114.40.221

6,85%

kai817hag10.com

noip

noip

2,07%

kangojim1.com

noip

noip

0,14%

kangojjm1.com

noip

noip

0,24%

kur1k0nona.com

68.168.212.21

68.168.212.21

2,19%

l04undreyk.com

noip

noip

0,58%

li1i16b0.com

noip

noip

0,05%

lj1i16b0.com

noip

noip

0,05%

lkaturi71.com

noip

noip

0,14%

lkaturl11.com

193.27.232.72

193.27.232.72

0,22%

lkaturl71.com

91.212.226.6

91.212.158.72

7,13%

lo4undreyk.com

68.168.212.18

93.114.40.221

2,19%

n16fa53.com

91.193.194.9

noip

0,05%

neywrika.in

noip

noip

0,14%

nichtadden.in

noip

noip

0,02%

nl6fa53.com

noip

noip

0,03%

nyewrika.in

noip

noip

0,03%

rukkeianno.com

noip

noip

0,08%

rukkeianno.in

noip

noip

0,08%

rukkieanno.in

noip

noip

0,03%

sh01cilewk.com

91.212.158.75

noip

2,19%

sho1cilewk.com

noip

noip

0,58%

u101mnay2k.com

noip

noip

2,19%

u101mnuy2k.com

noip

noip

0,58%

xx87lhfda88.com

91.193.194.8

noip

0,21%

zna61udha01.com

195.234.124.66

195.234.124.66

6,85%

zna81udha01.com

noip

noip

2,07%

zz87ihfda88.com

noip

noip

0,43%

zz87jhfda88.com

205.209.148.232

205.209.148.233

0,05%

zz87lhfda88.com

noip

noip

0,22%

A careful examination of this list reveals that the IP addresses of command and control centers are constantly changing, while some command and control centers are phased out altogether. These changes are due to the use of proxy servers, which hide the true location of the command and control centers.

Command and control server statistics

Despite the steps taken by cybercriminals to protect the command and control centers, knowing the protocol TDL-4 uses to communicate with servers makes it possible to create specially crafted requests and obtain statistics on the number of infected computers. Kaspersky Lab’s analysis of the data identified three different MySQL databases located in Moldova, Lithuania, and the USA, all of which supported used proxy servers to support the botnet.

According to these databases, in just the first three months of 2011 alone, TDL-4 infected 4,524,488 computers around the world.

Distribution of TDL-4 infected computers by country

Nearly one-third of all infected computers are in the United States. Going on the prices quoted by affiliate programs, this number of infected computers in the US is worth $250,000, a sum which presumably made its way to the creators of TDSS. Remarkably, there are no Russian users in the statistics. This may be explained by the fact that affiliate marketing programs do not offer payment for infecting computers located in Russia.

To be continued…

This heading of this last section has become traditional in our articles on TDSS. In this case, we have reason to believe that TDSS will continue to evolve. The fact that TDL-4 code shows active development — a rootkit for 64-bit systems, the malware running prior to operating system start launches, the use of exploits from Stuxnet’s arsenal, P2P technology, its own ‘antivirus’ and a lot more — place TDSS firmly in the ranks of the most technologically sophisticated, and most complex to analyze, malware. The botnet, with more than 4.5 million infected computers, is used by cybercriminals to manipulate adware and search engines, provide anonymous Internet access, and acts as a launch pad for other malware.

TDSS and the botnet that unites all the computers it infects will continue to cause problems for users and IT security professionals alike. The decentralized, server-less botnet is practically indestructible, as the Kido epidemic showed.

Users of Sony’s PlayStation Network are at risk of identity theft after hackers broke into the system, and accessed the personal information of videogame players.

The implications of the hack, which resulted in the service being offline since last week, are only now becoming clear as Sony has confirmed that the hackers, who broke into the system between April 17th and April 19th, were able to access the personal data of online gamers.

In a blog post, Sony warns that hackers have been able to access a variety of personal information belonging to users including:

In addition, Sony warns that profile information – such as your history of past purchases and billing address, as well as the “secret answers” you may have given Sony for password security may also have been obtained.

As if that wasn’t bad enough, Sony admits that it cannot rule out the possibility that credit card information may also have been compromised:

While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained.

The fact that credit card details, used on the network to buy games, movies and music, may also have been stolen is obviously very worrying, and affected users would be wise to keep a keen eye on their credit card statements for unexpected transactions. Questions clearly have to be asked as to whether Sony was ignorant of PCI data security standards and storing this and other personal data in an unencrypted format.

1. Break into your other online accounts. We know that many people use the same password on multiple websites. So if your password was stolen from the Sony PlayStation Network, it could then be used to unlock many other online accounts – and potentially cause a bigger problem for you.

Oh, and you better be sure that you have changed your “secret answers” too.

2. Email you phishing scams or malware attacks. If they stole your email address from Sony, they can now email you. And it wouldn’t be difficult for the cybercriminals to create an email which pretended to be a legitimate organisation (perhaps Sony themselves?) to steal more information or carried a Trojan horse designed to infect your computer. The fact that they know your name and snail-mail address could make the email even more convincing.

3. Hit you in the wallet. If your credit card details have been exposed by the Sony PlayStation Network hack then you could find fraudsters begin to make purchases from your account – if you notice that money is missing, you’ll have to go through the rigmarole of claiming the money back from your credit card company.

This security breach is not just a public relations disaster for Sony, it’s a very real danger for its many users.

If you’re a user of Sony’s PlayStation Network now isn’t the time to sit back on your sofa and do nothing. You need to act now to minimise the chances that your identity and bank account becomes a casualty following this hack.

That means, changing your passwords, auditing your other accounts, and considering whether you should keep a closer eye on those credit card statements or simply telling your bank that as far as you’re concerned the card is now compromised.

We have noticed rogue antivirus software that pretends to be the AVG Anti-Virus 2011. As usually social engineering is in use - well known names (AVG, Microsoft Security Essentials) and designs of trusted applications are present in order to increase credibility.

Threat Killer is a fully-scriptable malware remover able to remove persistent files, kernel drivers installed by rootkits, registry keys and values, terminate processes (even if critical), delete an entire folder (also using recursive) and much more by executing custom scripts.

The scripts are executed in runtime and you should be able to remove a specific malware without the need to reboot the computer, however is possible that to remove nasty malware is needed to reboot the computer.

It is strongly recommended to use Threat Kill only under qualified supervision, certain misuses of this program can create problems on your system.

Malicious hackers have spammed out an attack that pretends to be an email from Facebook support saying that your password has been changed.

The messages, which have a variety of subject lines including “Facebook Service. A new password is sent you”, “Facebook Support. Your password has been changed” and “Facebook Service. Your account is blocked”, have a ZIP file attached which carries a Trojan horse.

Good afternoon.

A spam is sent from your Facebook account.Your password has been changed for safety.

Information regarding your account and a new password is attached to the letter.Read this information thoroughly and change the password to complicated one.

Thank you for your attention,Facebook Service.

Sophos products detect the attached ZIP file as Mal/BredoZp-B, and the Trojan horse contained within as Troj/Agent-PLG.

It’s possible that the attackers are attempting to exploit the problems many female Facebook users had this week when the social network disabled many accounts by accident.

Don’t forget – you should always be extremely suspicious of any unsolicited email which arrives out of the blue, encouraging you to open an attachment.

A new member of the Koobface family of malware has been making the headlines in the last 24 hours. The reason why the threat, which is sometimes being referred to as “Boonana”, has been getting so much attention is that it doesn’t just infect Windows, but targets Mac OS X and Linux computers too.

This incarnation of the Koobface worm appears to have been spread via Facebook in messages asking “is this you in this video”.

IMPORTANT! PLEASE READ. Hi <username>. Is this you in this video here : <link>

Clicking on the link takes you to an external website that displays an image of a woman (grabbed from the Hot Or Not website).

Visitors to the webpage who want to see more are prompted to give permission for an applet called JPhotoAlbum.class to be run from inside a Java Archive (JAR) called JNANA.TSA.

Whether you are running Windows, Mac OS X or Linux on your computer, if you give permission for the highly obfuscated Java app to run then the malware will sneakily download a variety of programs from the internet which it will then execute on your computer.

Sophos detects various components of the attack as Troj/KoobStrt-A, Troj/KoobInst-A, Troj/KoobCls-A, Troj/Agent-PDY, Troj/DwnLdr-IOX, and Troj/DwnLdr-IOY. In addition, Sophos’s web protection blocks access to the malicious webpages.

Don’t forget to always be careful about what links you click on, even if they appear to have been shared by someone you know on Facebook.

And if you’re a user of Linux or Mac OS X, don’t think that the malware problem only exists on Windows. Malicious hackers are becoming increasingly interested in targeting other platforms, and if users of your operating system have a reputation for being dismissive of malware warnings on your preferred OS, the bad guys may consider you a soft target.

When others fail to properly clean up…

Malware infections are not always easy to clean up. These days the software pests use clever techniques to protect themselves from being deleted. In more and more cases it is almost impossible to delete a Malware file while Windows is running.

Files and registry entries are often locked in different ways to prevent them from being deleted. Active Malware processes monitor each other and start each other anew as soon as one of them is destroyed.

The only solution is to delete the pests during the Windows Boot process – before any Malware has started running and has activated its self-protection mechanisms.